Identity Management : Protecting the privacy of data and identity of users

We are moving from the information age to the participation age. In the new participation age, more people are joining the network and more network services are being delivered over the Internet. And yet, acceptance of web based services is hampered by the lack of consumer trust in
the system.

If I were having my first casual conversation with you, and told you that my name is John, and I’m over 18, you’d probably believe me. You’d have very few reasons not to. Say you met me again a few months later, and I told you that I’m originally from the United Kingdom, and that I like to play football. If you have a good memory, you might remember my face and associate my latest statements (preference for football and nationality) with those I made previously (my name and age).

If on the other hand, I’m sitting at my computer and I browse to your website, how do you know it’s me, John ? What if I fill out a form on your site and tell you that I’m only 19 years old, and that I like soccer. How about if I come to the same website again in a few months – how does the website know it’s John again ? What if I ask you to lend me a lot of money, either in person or via email ? You’d probably want to know a bit more about me than my name, nationality and hobbies !

In the ‘offline’ world, where we can (sometimes) see each other, we often make fairly quick decisions to trust each other, particularly when it comes to sharing basic information. But when the value of this information increases (when I ask you for a lot of money for example) or when we can’t see each other (on the Internet) such decisions should be made with a little more care, as there are fewer cues to aid anyone relying on that trust. Consumers are, perhaps wisely in this case, wary of providing information on the internet as they wish to protect their privacy and identity from being misused by fraudsters. Consumers don’t want fraudsters to take on their identity (for example pretending to be you - John) and equally, they do not want to be sold something by John who turns out to be someone far less trustworthy.

Technology has been invented to solve problems associated with this kind of trust. For example, your Internet service provider (ISP) might offer you free access to a news service provider by some other website. This news website will need to know that users entitled to such free access are in fact who they say they are. In such a case, the website might depend on an identity claim issued by the ISP when one of its users first authenticates to the ISP. This illustrates single sign-on, where by authenticating to my ISP, I can now also get access to a partner of my ISP. Furthermore, my ISP is now willing to assert on my behalf to the news website that I am one of the ISPs users. This facilitates the reduction of "information silos" that users are compounded by nowadays where numerous unrelated network systems cannot interoperate. Often, users have to remember hundreds of user IDs, passwords and pin codes. With the single sign-on authentication process, services are enabled to recognise each other ; and their individual users.

Sun Microsystems work very closely with The Liberty Alliance Identity Federation and support the above notions – that a user can obtain access to multiple websites via a single sign-on, and that an identity provider (IdP) may make an assertion of my authenticated status to its service provider (SP) partners in a circle of trust. Identity providers may also make other identity claims about someone, based upon information that a person has given them in association with that person’s account held at the IdP. Equally, the user may control the behaviour of identity providers and service providers. For example, an SP may accept assertions issued by one of several identity providers, and the user of the SP can choose which identity to use. Or, the user can choose to retain high levels of privacy and be
anonymous to the service provider.

Unfortunately, this system is not currently the norm for most consumers and businesses. According to NTA Monitor Password Survey, UK ; (zdnet.com) a typical intensive IT user has a staggering 21 passwords. Of this sample, 49% write their passwords down or store them in a file on their PC. The majority of users, create their passwords from commonly used words and 67% rarely or never change their passwords. So is seems that although the technology to reduce the number of information silos is out there, there is still a high prevalence of consumers and businesses who have not yet taken up this opportunity, leading to a multitude of data that lacks even basic protection.

Aligned with this password confusion, is the cost to business. According to Gartner, in a nonautomated
support model, password reset costs range from $51 (best case) to $147 (worst case) for the labour alone. When you consider that in an average 10,000 employee size company, about 45% of help desk calls are for password resets (Metagroup) this is a huge and unnecessary waste of resources (financial / staff efficiency) to business. Single sign-on systems would help to eradicate this expense.

Requirements for privacy and data protections are being set by governments to tackle this problem but their impact for business and users is currently difficult to comprehend and comply with. According to the Sun Customer Survey, typical IT systems use ten different applications and services that contain identity profiles. Over 80% of companies were found to have no identity synchronisation solution. Not only is this inefficient (through disruptions) but it means that there is a greater likelihood of mismanagement of data with identity being updated in one service and not in another. Such discrepancies weaken the protection and validity for the entire security system.

According to Forrester, database security continues to be a top priority for enterprises, and it is mainly
driven by increased industry wide intrusions and growing regulatory requirements. New requirements on compliance (Sabanes-Oxley, Basel II) can only be met with end-to-end identity management and life cycle management of identity provisioning.

An open federated approach for network identity and trust management would guarantee privacy and security of the consumer’s information. This would in turn help the public to gain trust in these systems and finally increase the acceptance for network delivered services. Standards for federated identity implementations will allow companies to realise substantial business benefits, including :

In conclusion, the biggest concern to business and consumers alike is privacy. Privacy does not mean
no-one knows anything about me. It is about managing the faith between the supplier and the client by adhering to the agreed scope and holding the information in trust. With this in mind, this session will look at how businesses can ensure that their privacy and security policies are second to none, allowing them to see a return on their IT investment along with increasing operational efficiencies.